JSU improves cybersecurity in light of February breach

Jacksonville State University is instituting changes in the way it handles data on its server due to a security breach in February – but it could have been worse.

Vinson Houston, JSU’s chief information officer in the information technology department said in an interview that it is one of his department’s responsibilities to ensure data – including everything from fraternity affiliation to credit card accounts – stayed out of the hands of potential threats.

“We do the programming and maintenance for the centralized software the university uses to run its day-to-day operations that students utilize to pay their bills, manage their accounts and those type things,” Houston said.

The university currently has two firewalls: a primary firewall that faces outward and an internal firewall that faces in to protect enterprise data.

Thomas Madden, a retired federal Chief Information Security Officer for the Centers of Disease Control compared computer firewalls to what firewalls were before the computer era.

“Original firewalls are in vehicles. They are in between the engine and the driver. Computer firewalls are the same way,” Madden said in an interview. “They stop attacks from coming in from the outside, and they aren’t bulletproof.”

Houston said the university pays around $90,000 to $100,000 for its firewall.

In February 2016, JSU student and faculty information was published on a website which stated it was untraceable. The website included pictures, classification, birthdays, organizational affiliations, student numbers and addresses of current students, graduates and faculty.

While JSU’s Department of Information Technology and law enforcement had tracked down the website publisher and shut down the website in less than a week, the university could suffer from decreased reliability in cybersecurity.

According to a study conducted in June 2016 by the Ponemon Institute, the largest financial downfall to an organization after a security breach is the loss of trust between the business and its customers. The study also highlighted the root causes of data breach and some major positive and negative factors that influence the cost of breaches.

Factors that decrease costs of a breach per capita:

Incident response team ($16)

Extensive use of encryption ($13)

Employee training ($9)

Participation in threat training ($9)

BCM involvement ($9)

Use of DLP ($8)

CISO appointed ($7)

Board-level involvement ($6)

Data classification schema ($5)

Insurance protection ($5)

Factors that increase cost of a breach per capita:

Provision of ID protection (-$3)

Consultants engaged (-$5)

Lost or stolen devices (-$5)

Rush to notify (-$6)

Extensive cloud migration (-$12)

Third party involvement (-$14)

The breach in February did not include much more than directory information, but the university began implementing a few strategies listed by the Ponemon institute study, including security consultants and employee training.

“We are currently working with a security consultation firm to help us improve our security posture,” said Houston.

According to him, the university and the firm began a relationship a few months ago. He declined to give the name of the companies involved and the cost of the consultation and evaluation. He said this was the first year JSU has consulted for security evaluation and it looked like it was something they would take part in on an annual basis.

A cybersecurity consultant can cost “a couple thousand if you hire someone fresh out of college,” said Madden. He said for a consultant more renown, if can cost $50,000 or more per year.

“We work with multiple companies,” said university counsel Sam Monk in an email. “We have consulted with one firm that surveyed practices and procedures to help us identify any operational matters that should be addressed.”

The company’s report and the cybersecurity plan that will follow will only be discussed on a “need-to-know basis,” said Monk. The email went on to say the firm JSU hired was an Alabama company that has a “special knowledge of issues peculiar to higher education applications, processes and regulatory requirements.”

These companies, according to Madden, employ white hat hackers – or hackers who hack into networks in an effort to reveal weaknesses – in an effort to penetrate a system remotely, after which they are known as a “trusted insider.” When these hackers get inside, Madden said, they try to increase their privileges in order to create their own account. If they achieve that, they have free range of the system.

In addition to testing penetration, JSU’s consultants also “reviewed different policies and procedures and looked at adding additional training,” said Houston.

Another responsibility of the consultants was to hold different social engineering projects.

Houston said the consultants who visited the campus would plant storage devices with malware on them. The hackers could then “sit at the back of your computer and watch you” if someone plugged it into a computer.

Houston said they could attempt to phish users by sending emails from jsu.com or from a JSU-linked email account.

“They went in different offices to see kind of what’s going on, or they were lost or looking for something and they would observe and drop a flash drive to see what happens,” Houston said in reference to the white hat hackers.

“A lot of it falls back on employees and how they manage data they have access to,” said Houston

“A lot of people use the same network every day,” he said. “Universities are a waypoint for stolen documents and it gives the adversary deniability. With the data flow, it acts like camouflage.”

Madden also said with all the credit card accounts linked to university’s networks, there is a “treasure trove” for hackers.

According to Symantec’s research, while the education sector was at the top for incidents of security breach, it was near the bottom in identities exposed. This could mean that hackers are looking for something other than identities to steal.

“We’ve been more fortunate than all our peer institutions,” Houston said in reference to the number of JSU’s breach occurrences. “Part of that could be we aren’t really a research institution.”

He said that targets for hackers are institutions that research diseases and have other trade secrets that may be desirable to someone else.

“If you look at the number of instances we’ve had compared to the number of instances they’ve had, theirs has been far more disruptive, being the type of information exposed,” said Houston, also pointing out JSU has not had a full-time staff dedicated to cybersecurity like other institutions.

Houston said the incident in February was not as bad as it could have been.

“You don’t want people’s photos out there and their home addresses and their classification, but that goes back to a matter of an internal compromise,” he said. “We had some student workers that had their credentials exposed. And as a result, that allowed this person to gain access to the system, to allow them to extract some information that otherwise he would not have had access to.”

“As far as I knew, they were just friends. I saw them hanging out a lot,” the source said. “It was generally accepted that Kurt gave his password over, whether he knew what the other fellow was planning on doing, I don’t know, however, my impression was not that he was coerced or that the information was taken.”

When asked how they knew that Nilsson gave up his credentials to the juvenile, the source said “he was fired, and then it was in the paper that he was arrested.”

Nilsson, according to the source, was a residential assistant in Dixon Hall at the time of the breach.

“JSU turned the case over to state and federal law enforcement agencies,” Monk said in his email. “We can make no comment on the status of the case.”

Monk did not know who Nilsson was and Houston declined to answer specific questions about the people involved in the case.

“Our IT team put together pieces of a story and the pieces started to fit,” Houston said regarding the investigation to find the person behind the website. “We gathered non-technical information and saw what made sense.”

Responding to a question posed about if there was a connection between the security consultation and the breach in February, Houston said: “Absolutely. We wanted to respond aggressively to identify any areas of weaknesses.”

In addition to the security firm, Houston cited FERPA training as an effort to educate employees of the university about the information they have access to and what information they can legally give out.

“If you have a key to the front door, I don’t care how good your alarm system is, and hackers know that,” said Houston, referring to internal threats to cybersecurity.

“Everything runs on computers and chips,” said Madden. It’s possible to hack into a network through an air conditioning unit or a copier, he said.

“You could have the best security system in the world, and at the end of the day you can get hacked,” said Houston. “You just have to do such things to show diligence, to show that you’re making a best case effort to protect your clients, which in our case is our students.”